File Include Vulnerability Web For Pentester

Hello friends so it have been a long time since i have updated any new article so here is an other section of the series which we started Web For Pentester .Here are other sections MySql Injection , Directory Traversal

Introduction to File Include Attacks :-

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
This can lead to something as outputting the contents of the file, but depending on the severity, it can also lead to:

Code execution on the web server

Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)

Denial of Service (DoS)

Sensitive Information Disclosure

Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

Remote File Inclusion (also known as RFI) is the process of including remote files through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing external URL to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others. Source – OWASP

Explanation :-

So the examples included in the lab they are both vulnerable to Local File Inclusion (LFI) and Remote File Inclusion (RFI) so we can easily test for both vulnerabilities on the same place.

Example 1:-

Since LFI occurs when paths passed to “include” statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters this is the most common example and is mostly the case in most live tests.

So this is the example 1 of the lab.

http://[yourlab]/fileincl/example1.php?page=intro.php

Now this a perfect place where attacker can start his test and the most common approach to test for LFI is to get the /etc/passwd files data from the server.

Typical proof-of-concept would be to load passwd file:

http://[yourlab]/fileincl/example1.php?page=../../../../../etc/passwd

And after this you will get the content of the file.

And for RFI you just need to all the url to your shell (Should be in .txt format on your server) in the parameter.

Example 2 :-

This is also really simple as we talked before in sql injection section and XSS that some security measures regarding the file extension can be bypassed using the null-byte method so the same is the case over here.